-
Notifications
You must be signed in to change notification settings - Fork 0
/
sssd.conf
220 lines (178 loc) · 6.79 KB
/
sssd.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
[sssd]
domains = ourdom.company.net, ourdom2.company.net, ourdom3.company.net
# if ad_enabled_domains is set then no other domains will be queried
# ad_enabled_domains = ourdom.company.net , ourdom2.company.net , ourdom3.company.net
config_file_version = 2
# the default value is 3
reconnection_retries = 6
# the ifp service is information pipe
# this is needed to support the sssctl command
services = nss, pam, ifp
# default_domain_suffix = ourdom.company.net
#This option specifies whether the responder should query all caches before querying the Data Providers.
# Default: false
cache_first = TRUE
# This parameter will replace spaces (space bar) with the given character for user and group names. e.g. (_).
# We do have group names with spaces such as aad ca ring 2id
# this option will make it easier for scripts to work with these names
override_space = _
# groups will be returned as groupname not groupname@ourdom2.company.net
full_name_format = %1$s
debug_level = 2
[nss]
filter_users = root, postfix, lightdm, rtkit
filter_groups = root, tty
# filter_users locallinuxuser where this is a local username
enum_cache_timeout = 1200
# entry_cache_timeout = 5400
# entry_cache_user_timeout = 5400
# entry_cache_group_timeout = 5400
# refresh_expired_interval = 4000
# the default for the negative cache is 15 seconds
# we see a huge amount of queries for the entries in the local /etc/passwd file
entry_negative_timeout = 120
# Specifies for how many seconds nss_sss should keep local users and groups in negative cache
# before trying to look it up in the back end again.
# the default is 0 - is this zero or infinite ??
#local_negative_timeout = 120
#testing ONLY this DISABLES the in memory cache
# memcache_timeout = 0
debug_level = 2
[pam]
pam_verbosity = 3
pam_id_timeout = 20
pam_account_expired_message = Account expired, please contact help desk.
pam_account_locked_message = Account locked, please contact help desk.
pam_response_filter = ENV:KRB5CCNAME
debug_level = 2
[domain/ourdom.company.net]
# for ad we have these options
#ad_domain
#ad_enabled_domains
#ad_server
#ad_backup_server
#ad_hostname
#ad_enable_dns_sites
#ad_access_filter
#ad_enable_gc
#ad_gpo_access_control
#ad_gpo_cache_timeout
#ad_gpo_map_interactive
#ad_gpo_map_remote_interactive
#ad_gpo_map_network
#ad_gpo_map_batch
#ad_gpo_map_service
#ad_gpo_map_permit
#ad_gpo_map_deny
#ad_gpo_default_right
#ad_site
#ad_maximum_machine_account_password_age
#ad_machine_account_password_renewal_opts
ad_domain = ourdom.company.net
# For DNS SRV records we are in site LOCAT
# The SRV record is '_ldap._tcp.LOCAT._sites.ourdomw.company.net'
ad_site = LOCAT
# ad_enable_dns_sites = TRUE
# Local AD servers . Not needed as ad_site is defined
#ad_server = server1.ourdom.company.net , server2.ourdom.company.net
# use service discovery for AD servers
# ad_server = _srv_
#ad_server = server1.ourdom.company.net
#ad_backup_server = server2.ourdom.company.net
# ad_hostname = ibis.ourdom.company.net
# gc = General Catalog
ad_enable_gc = TRUE
#
# there is also this parameter. Should we use it to avoid the AD_GC errors?
# the manual says this is the domain portion of the machine host name
# but ibis seems not to have a domain name set
# dns_discovery_domain = ourdom.company.net
#Determines if a domain can be enumerated, that is, whether the domain can list all the users and group it contains.
# Note that it is not required to enable enumeration in order for secondary groups to be displayed.
# the default is FALSE
# enumerate = TRUE
auth_provider = ad
access_provider = ad
id_provider = ad
# this allows anyone to access. For testing only
#access_provider = permit
# use the AD access provider. Permit access only from members of a given group
# ad_access_filter (memberOf=cn=admins,ou=groups,dc=dom1,dc=com)
# this is a simple member group valid at Bigcorp
#ad_access_filter (memberOf=CN=rdcd_members_1414,OU=DepartmentSecurity,OU=RDC,OU=ApplicationGroups,OU=Groups,OU=nzit,OU=Company,DC=ourdom2,DC=bigcorp,DC=net)
# ad_access_filter (memberOf=CN=nonsense,OU=DepartmentSecurity,OU=RDC,OU=ApplicationGroups,OU=Groups,OU=nzit,OU=Company,DC=ourdom2,DC=bigcorp,DC=net)
# AD security group
# ad_access_filter (memberOf=cn=admins,ou=groups,dc=dom1,dc=com)
# to permit access from a certain group to HPC and workstations
# Tested - does not work with this configuration
#access_provider = simple
#simple_allow_users = myname
#simple_deny_users = myname
#simple_allow_groups = sequoia_protein_readers@ourdom2.company.net
#simple_deny_groups = sequoia_protein_readers@ourdom2.company.net
krb5_realm = ourdom.company.net
realmd_tags = manages-system joined-with-adcli
dyndns_update = FALSE
entry_cache_timeout = 5400
entry_cache_user_timeout = 5400
entry_cache_group_timeout = 5400
refresh_expired_interval = 4000
# the default value is 0 - does this mean the background refresh tasks is disabled ?
#refresh_expired_interval = 0
# we cache for offline use
cache_credentials = TRUE
use_cached_auth = TRUE
cached_auth_timeout = 10
#
# krb5_validate set to FALSE
# If we do not set this then we get this error in syslog
# ibis [sssd[krb5_child[28559]]]: Cannot decrypt ticket for IBIS$@ourdom.company.net using keytab key for IBIS$@ourdom.company.net
krb5_validate = FALSE
krb5_store_password_if_offline = TRUE
default_shell = /bin/bash
#ldap_id_mapping = TRUE
# this is really important. Set to TRUE and things stop working
# the default is FALSE
use_fully_qualified_names = FALSE
# We can set it to TRUE if the default_domain_suffix is set in the [sssd] section above
# rfc2307bis is correct
# an LDAP search shows that we have groups with member: and CN=
#ldap_schema = rfc2307bis
# we are using id_provider = d so this schema is set to ad by default
#ldap_schema = ad
ldap_group_nesting_level = 0
#ldap_groups_use_matching_rule_in_chain = TRUE
#ldap_initgroups_use_matching_rule_in_chain = TRUE
#ldap_use_tokengroups = TRUE
#ldap_user_name = msSFU30Name
#ldap_user_name = sAMAccountName
# we have very slow startup times for terminals in LighDM
# there is a long time spent in the groups utility
ignore_group_members = TRUE
fallback_homedir = /z/home/%u
#fallback_homedir = /home/%u
# min_id = 299
# max_id = 9999
# We have a cron job which runs msktutil to renew the machine account password
# sssd should be able to do this by itself
# ad_maximum_machine_account_password_age = 30
# Check the password every 24 hours : check 15 minutes after startup
# ad_machine_account_password_renewal_opts = 86400:750
debug_level = 2
# define the other AD realms
[domain/ourdom2.company.net]
ad_domain = ourdom2.company.net
ad_site = LOCAT
auth_provider = ad
access_provider = ad
id_provider = ad
ldap_group_nesting_level = 0
debug_level = 2
[domain/ourdom3.company.net]
ad_domain = ourdom3.company.net
ad_site = LOCAT
auth_provider = ad
access_provider = ad
id_provider = ad
ldap_group_nesting_level = 0
debug_level = 2